ICO publishes new guidance on subject access requests

The ICO recently published its much-anticipated “Right of Access Guidance” on subject access requests (SARs). The guidance is the result of an earlier ICO consultation and is intended to assist organisations dealing with SARs – it will be of particular interest to data protection officers and others with specific data protection responsibilities.

What is a SAR and why is it important?

A data subject’s right of access is a fundamental right to obtain a copy of their personal data from a data controller, as well as certain additional information, in order to understand how and why their data is being used. As individuals become increasingly aware of their data-related rights, handling SARs well is key to compliance and crucial in building trust between organisations and individuals.

What does the guidance say?

The guidance is wide-ranging and detailed but has provided particular clarity on the following key areas.

1. Stopping the clock for clarification

The GDPR sets out tight timescales for organisations to respond to SARs. Generally, organisations must comply with a SAR without undue delay and, at the latest, within one month of receipt of the request for information. The ICO has advised that where a SAR is complex, for example because an organisation processes a large amount of information about an individual and seeks clarification about the information requested, the time limit for responding can be paused until the organisation receives clarification of the request.

2. What is considered a manifestly unfounded or manifestly excessive request

Where a SAR is manifestly unfounded or excessive, an organisation can either charge a “reasonable fee” or refuse to comply with the SAR. The ICO has provided additional guidance on determining what is manifestly unfounded or manifestly excessive.

The ICO has explained that a request may be deemed “manifestly unfounded” where:

  • an individual clearly has no intention to exercise their right of access, e.g. where an individual makes a SAR, but then offers to withdraw it in return for some form of benefit from the organisation; or
  • the SAR is malicious in intent and is being used to harass an organisation with no real purpose other than to cause disruption, e.g. it makes unsubstantiated, malicious accusations against the organisation or specific employees, or targets a particular employee against whom the individual has some personal grudge.

However, if an individual genuinely wants to exercise their rights, it is unlikely that the request will be manifestly unfounded.

In order to determine whether a SAR is “manifestly excessive”, the organisation must consider whether it is clearly or obviously unreasonable. This will involve assessing whether the SAR is proportionate when balanced with the burden or costs involved in dealing with the SAR. All the circumstances of the SAR will need to be considered. SARs will not be “manifestly excessive” just because large volumes of information have been requested.

3. What can be included when charging a fee for excessive, unfounded or repeat requests?

Generally, organisations may not charge a fee to comply with a SAR. However, where a SAR is manifestly unfounded or excessive or an individual requests further copies of their data following a request, the organisation may charge a “reasonable fee”. The ICO has confirmed that when determining a reasonable fee, an organisation can take into account the administrative costs of:

  • assessing whether or not an organisation is processing the information;
  • locating, retrieving and extracting the information;
  • providing a copy of the information; and
  • communicating the response, including contacting the individual to inform them that the organisation holds the requested information (even if it is not providing the information).

The fee may also include the costs of photocopying, printing, postage, equipment and supplies (such as discs, envelopes or USB devices) and staff time. Costs associated with staff time should be based on the estimated time it will take staff to comply with the request, charged at a reasonable hourly rate. It is the organisation’s responsibility to ensure that it charges a reasonable rate and it is good practice for organisations to establish an unbiased set of criteria for charging fees which are clear, concise and accessible and make this available on request.

What does this mean for businesses?

The guidance will be welcomed by many organisations, especially those receiving a high volume of SARs which can often be time-consuming and resource-intensive. In addition to the three areas outlined above, the guidance provides lots of helpful material on recognising and responding to SARs, as well as covering exemptions and requests which relate to certain categories of data such as credit files and health data. Accordingly, organisations would be well advised to familiarise themselves with the guidance.

If you have any questions about SARs or other data protection related matters, please contact a member of our specialist GDPR & Cyber Security team who will be able to assist.
